Creative Commons License 
This body of work is released under the Attribution-ShareAlike version 3.0 Creative Commons License. 
The work may be freely distributed or modified for commercial or non-commercial purposes. 


If this work is modified, compliance with the Attribution-ShareAlike version 3.0 Creative Commons License is required. 


These requirements include: 
- Any derivatives of this work must be attributed to David Childers. 


- Alterations, transforming, or building upon this work requires distributing the resulting work only under the 
same, similar or a compatible license. 


For the complete legal code, please refer here: 
WARRANTY NOTICE 


BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO 
THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, 
EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND 
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE 
COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 


IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT 
HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED 
ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR 
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT 
NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR 
THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH 
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
Foreword 


The FreeBSD operating system offers the ability to install a complete desktop system in addition to being able 
to select and install additional software maintained by the FreeBSD community. 


It is my desire to continue contributing to the FreeBSD community, after having developed the easy 
installation script for the Gnome desktop. I believe it is very important to advance the Open Source software 
movement. 


I would like to thank J. Lenz for providing technical assistance with developing the script, P.E. Henry ETCS(SS) 
USN (Ret) for providing technical assistance with developing the documentation, Scarlet Coker for providing 
assistance with the editing of the manuscript and James Davey at Broadcasting World for allowing me the 
opportunity to create this handbook. 

It is my sincere hope that the reader finds this software script beneficial. 

Love, Peace and Unity (Amor, Paz e Unidade) 


David Childers 
www.scvi.net 


February 15, 2010 


Distrust and caution are the parents of security. 


Benjamin Franklin 


Please Donate 


If you find this guide useful, please consider making a small donation to show your appreciation for my work. 
Introduction 


The Linux operating system has several scripts that harden various aspects of its internal architecture and 
security. FreeBSD currently has no hardening script that is designed for use on a desktop computer system. 


A default installation of FreeBSD provides excellent security features; however, the installation of additional 
software and the configuration of FreeBSD for desktop use require minor system adjustments to achieve the 
maximum security possible. This script enhances system security for a FreeBSD desktop computer. 


What this script does: 


- Modifies the rc.conf file. 

- Modifies the sysctl.conf file. 

- Modifies the TCP/IP stack. 

- Restricts access to configuration files. 

- Restricts the ability of scheduling jobs to root. 

- Secures root directory. 

- Restricts access to system log files. 

- Merges the /var/tmp and /tmp file directories. 

- Enables Blowfish encryption for computer password security. 
- Secures FreeBSD in single user mode. 

- Installs and configures the Network Time Protocol. 


This FreeBSD hardening script can be easily modified to suit specific or special requirements. 


This script was designed primarily to be run on FreeBSD desktop systems. 


Important Considerations 
The following are additional recommendations to enhance computer security: 
- Do not run common tasks as a root user. 
- Select strong passwords for both the user and root login. These passwords should contain a minimum of 15 
characters, including at least 2 upper case letters, 2 lower case letters, 2 numbers and 2 special 
characters. 
- Do not use the same password for both the user and root login. 
- Establish a set routine for changing both the user and root passwords. 
- Do not store access passwords on the computer. 
- Install and run a firewall if the computer is connected to a communications network. 


- Ensure that the firewall is properly configured and only open firewall ports that are absolutely necessary. 


- Keep the operating system and installed applications up to date. It is extremely important to patch and 
update the computer system on a regular basis; especially critical updates. 


- Log out of the computer or lock the computer screen when you are physically away from the computer 
system. 


- Do not execute any applications that are attached in an email correspondence. 
- Do not allow the execution of unknown scripts that are embedded in websites. 


- Routinely back up data and store sensitive data on removable media. Store removable media properly, and 
consider limiting access to it. 


- Do not install software that can allow remote users to access your computer or allow malicious software to 
modify the computer system. 


- Install and configure FreeBSD jails if you must install software that could allow the computer system to be 
manipulated by remote users. 


The FreeBSD jail mechanism is an implementation of operating-system-level virtualization that allows 
administrators to partition a FreeBSD-based computer system into several independent mini-systems called 
jails. This is used to protect the computer system from being compromised by running specific software 
applications. 


The FreeBSD Handbook section on jails. 
www.freebsd.org/doc/handbook/jails.html 


Quick guide to ezjail. 
www.scottro.net/qnd/qnd-ezjail.html 


- Stay informed of security issues and implement any recommendations or updates. 
www.freebsd.org/security/advisories.html 
www.freebsd.org/doc/en/books/handbook/security-advisories.html 
www.freebsd.org/releases/ 


It is your responsibility to properly maintain your computer and its operating system, utilities, applications, 
and communications connections to prevent security breaches. No security enhancements can overcome 
poor planning or bad security habits. 


THINK BEFORE YOU CLICK 


Using The FreeBSD Hardening Script 


This script will automate the hardening of a FreeBSD desktop computer system. 


(# indicates a typed command.) 

Login on computer as normal user. 

(You must have wget installed: # pkg_add -r wget.) 
- Go to the FreeBSD desktop. 

- Open the command line terminal. 

- Login as SU. 


- Use wget and download the FreeBSD hardening script. 
# wget http://www.scvi.net/freebsd/Gibraltar.txt 


- Use the mv command and rename the file extension from .txt to .sh. 
# mv Gibraltar.txt Gibraltar.sh 


- Change the permission of the script file so that it can be executed. 
# chmod 755 Gibraltar.sh 


- Execute the FreeBSD hardening script. 
# ./Gibraltar.sh 


- After the script has been executed, remove the installation script file. 
# rm -f Gibraltar.sh 


- Log out of SU. 


* Important - Important - Important - Important - Important - Important - Important - Important - Important * 


This script requires additional actions to be performed after the installation is complete. The additional 
actions to be performed are highlighted in bold face text. 


* Important - Important - Important - Important - Important - Important - Important - Important - Important * 


FreeBSD Hardening Script 


#!/bin/sh 
################################################################################ 
################################################################################ 
# 
# The FreeBSD System Hardening Script 
# David Childers - 15 February, 2010 
# 
# This software is released under the Attribution-ShareAlike version 3.0 Licence. 
# www.creativecommons.org/licen - 
# 
################################################################################ 
################################################################################ 
# 
# If you find this script useful, please consider making a small donation. 
# https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=10870717 
# 
################################################################################ 
################################################################################ 
# 
# Portions of the script that are marked with bold face type require additional steps to be 
# performed. If these additional steps are not completed, then the changes initiated by this 
# script will not function properly. 
# 
################################################################################ 
################################################################################ 
# 
# If you modify the script, make absolutely sure that you use standard quotation marks " " 
# and not word processor quotation marks “ ” in elements that you use the echo function for 
# adding entries to files. Using word processor quotation marks “ ” inside the script will 
# cause the script to not function properly. 
# 
################################################################################ 
################################################################################ 
# 
# This script can be used with either an i386 or amd64 computer. 
# 
################################################################################ 
################################################################################ 


# 
# The file rc.conf contains descriptive information about the local host name, configuration details for 
# any potential network interfaces and which services should be started up at system initial boot time. 
# 
# Ensure syslogd does not bind to a network socket if you are not logging to a remote machine. 
# 
echo 'syslogd_flags="-ss"' >> /etc/rc.conf 
# 
# ICMP Redirect messages can be used by attackers to redirect traffic and should be ignored. 
# 
echo 'icmp_drop_redirect="YES"' >> /etc/rc.conf 
# 
# sendmail is an insecure service and should be disabled. 
# 
echo 'sendmail_enable="NO"' >> /etc/rc.conf 
# 
# The Internet Super Server (inetd) allows a number of simple Internet services to be enabled, including 
# finger, ftp, ssh, and telnetd. Enabling these services may increase the risk of security problems by 
# increasing the exposure of your system. 
# 
echo 'inetd_enable="NO"' >> /etc/rc.conf 
# 
# Network File System allows a system to share directories and files with other computers over a network 
# and should be disabled. 
# 
echo 'nfs_server_enable="NO"' >> /etc/rc.conf 
echo 'nfs_client_enable="NO"' >> /etc/rc.conf 
# 
# SSHD is a family of applications that can be used with network connectivity tools. 
# This disables rlogin, RSH, RCP and telnet. 
# 
echo 'sshd_enable="NO"' >> /etc/rc.conf 
# 
# Disable portmap if you are not running Network File Systems. 
# 
echo 'portmap_enable="NO"' >> /etc/rc.conf 
# 
# Disable computer system details from being added to /etc/motd on system reboot. 
# 
echo 'update_motd="NO"' >> /etc/rc.conf 
# 
# The /tmp directory should be cleared at startup to ensure that any malicious code that may have 
# entered into the temp file is removed. 
# 
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf 
# 
################################################################################ 
################################################################################ 


# 
# The sysctl.conf file allows you to configure various aspects of a FreeBSD computer. This includes many 
# advanced options of the TCP/IP stack and virtual memory system that can dramatically improve 
# performance. 
# 
# Prevent users from seeing information about processes that are being run under another UID. 
# 
echo 'security.bsd.see_other_uids=0' >> /etc/sysctl.conf 
# 
# Generate a random ID for the IP packets as opposed to incrementing them by one. 
# 
echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf 
# 
# This will discover dead connections and clear them. 
# 
echo 'net.inet.tcp.always_keepalive=1' >> /etc/sysctl.conf 
# 
# Enabling blackholes for udp and tcp will drop all packets that are received on a closed port and will not 
# give a reply. 
# 
echo 'net.inet.tcp.blackhole=2' >> /etc/sysctl.conf 
echo 'net.inet.udp.blackhole=1' >> /etc/sysctl.conf 
# 
################################################################################ 
################################################################################ 


# 
# The TCP/IP Stack is what controls the communication of the computer on a data network. 
# 
# Note: sysctl -w changes the running kernel only. The settings below are lost at reboot unless 
# they are also added to /etc/sysctl.conf. 
# 
# Disable ICMP broadcast echo activity. This could allow the computer to be used as part of a Smurf 
# attack. 
# 
sysctl -w net.inet.icmp.bmcastecho=0 
# 
# Disable ICMP routing redirects. This could allow the computer to have its routing table corrupted by an 
# attacker. 
# 
sysctl -w net.inet.ip.redirect=0 
sysctl -w net.inet.ip6.redirect=0 
# 
# Disable ICMP broadcast probes. This could allow an attacker to reverse engineer details of your 
# network infrastructure. 
# 
sysctl -w net.inet.icmp.maskrepl=0 
# 
# Disable IP source routing. This could allow attackers to spoof IP addresses that you normally trust as 
# internal hosts. 
# 
sysctl -w net.inet.ip.sourceroute=0 
sysctl -w net.inet.ip.accept_sourceroute=0 
# 
################################################################################ 
################################################################################ 
# 
# Disable users from having access to configuration files. 
# 
chmod o= /etc/fstab 
chmod o= /etc/ftpusers 
chmod o= /etc/group 
chmod o= /etc/hosts 
chmod o= /etc/hosts.allow 
chmod o= /etc/hosts.equiv 
chmod o= /etc/hosts.lpd 
chmod o= /etc/inetd.conf 
chmod o= /etc/login.access 
chmod o= /etc/login.conf 
chmod o= /etc/newsyslog.conf 
chmod o= /etc/rc.conf 
chmod o= /etc/ssh/sshd_config 
chmod o= /etc/sysctl.conf 
chmod o= /etc/syslog.conf 
chmod o= /etc/ttys 
# 
################################################################################ 
################################################################################ 
# 
# Enable root as the only account with the ability to schedule jobs. 
# 
echo "root" > /var/cron/allow 
echo "root" > /var/at/at.allow 
chmod o= /etc/crontab 
chmod o= /usr/bin/crontab 
chmod o= /usr/bin/at 
chmod o= /usr/bin/atq 
chmod o= /usr/bin/atrm 
chmod o= /usr/bin/batch 
# 
################################################################################ 
################################################################################ 
# 
# Secure the root directory contents to prevent viewing. 
# 
chmod 710 /root 
# 
################################################################################ 
################################################################################ 
# 
# Disable users from having access to the system log file directory. 
# 
chmod o= /var/log 
# 
################################################################################ 
################################################################################ 
# 
# Merge all temporary file directories. 
# A single directory should be used for temporary files, not two. 
# The /var/tmp directory will be replaced with a link to /tmp. 
# The contents of the /var/tmp directory remain after a reboot. The contents of the /tmp directory do not. 
# 
# (The copy command is unreadable in the scanned original; cp -a is assumed here, as it preserves 
# ownership and modes of the files being moved.) 
cp -a /var/tmp/* /tmp/ 
rm -rf /var/tmp 
ln -s /tmp /var/tmp 
# 
################################################################################ 
################################################################################ 
# 
# Enable the use of blowfish password encryption for enhanced password security. 
# 
########## 
########## 
## 
## (# indicates a typed command.) 
## 
## Manually edit /etc/auth.conf 
## # nano /etc/auth.conf 
## 
## The following line needs to be added to the /etc/auth.conf file: 
## crypt_default=blf 
## 
## Manually edit /etc/login.conf 
## # nano /etc/login.conf 
## 
## The password format must be changed from md5 to blf: 
## passwd_format=blf 
## 
########## 
########## 
# 
################################################################################ 
################################################################################ 
# 
# Secure FreeBSD in single user mode. 
# 
########## 
########## 
## 
## (# indicates a typed command.) 
## 
## Edit the /etc/ttys file: 
## # nano /etc/ttys 
## 
## Find this line in the /etc/ttys file: 
## console none unknown off secure 
## 
## Change the configuration from secure to insecure: 
## console none unknown off insecure 
## 
## Insecure indicates that the console can be accessed by unauthorized persons, and is not 
## secure. 
## 
## After rebooting and entering single user mode, the user will be prompted for the root password to 
## gain access to the shell prompt. 
## 
########## 
########## 
# 
################################################################################ 
################################################################################ 
# 
# Installing and configuring the Network Time Protocol service. 
# 
########## 
########## 
## 
## This will enable ntpdate, which will keep the computer date/time correct. 
## (# indicates a typed command.) 
## 
## Manually edit /etc/rc.conf 
## # nano /etc/rc.conf 
## 
## The following line needs to be placed in the /etc/rc.conf file: 
## ntpdate_enable="YES" 
## 
## Select the appropriate ntp server for your location. 
## 
## Manually edit /etc/ntp.conf 
## # nano /etc/ntp.conf 
## 
## The following lines need to be added to the file: 
## (Based upon the ntp server preferences you selected from the list.) 
## 
## server ntplocal.example.com prefer 
## server timeserver.example.org 
## server ntp2a.example.net 
## driftfile /var/db/ntp.drift 
## 
## The server option specifies which servers are to be used, with one server listed on each 
## line. If a server is specified with the prefer argument, as with ntplocal.example.com, that 
## server is preferred over other servers. A response from a preferred server will be 
## discarded if it differs significantly from other servers' responses, otherwise it will be used 
## without any consideration to other responses. The prefer argument is normally used for 
## NTP servers that are known to be highly accurate, such as those with special time 
## monitoring hardware. 
## 
## The driftfile option specifies which file is used to store the system clock's frequency offset. 
## 
########## 
########## 
# 
################################################################################ 
################################################################################ 
# 
echo "End of script." 
# 
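The rc.conf section of the script above appends every setting with ">>". That is fine for one run, but a second run, or a setting that was already present, leaves duplicate assignments that make the file hard to audit. The functions below are an added example, not part of the handbook or its script: set_rc_var replaces an existing assignment in place and appends only when the key is absent; get_rc_var and count_rc_var read the result back; demo_rc_conf applies the script's own rc.conf settings twice to a constructed copy rather than to the live /etc/rc.conf. All four names are chosen here.

```shell
#!/bin/sh
# Added example (not the handbook's script): idempotent rc.conf editing.

# set_rc_var FILE KEY VALUE: replace an existing KEY= line, else append one.
set_rc_var() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # '|' as the sed delimiter so values containing '/' (paths) are safe
        sed -i.bak "s|^${key}=.*|${key}=\"${value}\"|" "$file" && rm -f "$file.bak"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_rc_var FILE KEY -> the last value assigned to KEY, quotes stripped
# (rc.conf is a shell file, so the last assignment wins); empty if unset.
get_rc_var() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# count_rc_var FILE KEY -> number of KEY= lines; an audited file has 0 or 1.
count_rc_var() {
    grep -c "^$2=" "$1" || true
}

# demo_rc_conf -> path of a constructed rc.conf copy that has had the
# script's settings applied twice; duplicates would show up in count_rc_var.
demo_rc_conf() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/rcdemo.XXXXXX")
    # constructed sample of a fresh install's rc.conf
    printf 'hostname="desktop.example"\nsendmail_enable="YES"\n' > "$tmp"
    for pass in 1 2; do
        set_rc_var "$tmp" syslogd_flags "-ss"
        set_rc_var "$tmp" icmp_drop_redirect YES
        set_rc_var "$tmp" sendmail_enable NO
        set_rc_var "$tmp" inetd_enable NO
        set_rc_var "$tmp" nfs_server_enable NO
        set_rc_var "$tmp" nfs_client_enable NO
        set_rc_var "$tmp" sshd_enable NO
        set_rc_var "$tmp" portmap_enable NO
        set_rc_var "$tmp" update_motd NO
        set_rc_var "$tmp" clear_tmp_enable YES
    done
    echo "$tmp"
}
```

Later FreeBSD releases ship sysrc(8), which does this job for the live file; the function is for systems such as the 2010 target of this handbook that predate it, and for checking a copy before touching /etc/rc.conf.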
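The sysctl.conf section writes five kernel settings to /etc/sysctl.conf, while the TCP/IP stack section applies six more with sysctl -w, which changes only the running kernel. A practitioner usually wants all eleven persisted and a way to confirm that a given sysctl.conf still matches them. The block below is an added example, not the handbook's code: it parses a sysctl.conf the way sysctl(8) reads it (comments and whitespace ignored, last assignment wins) and reports every missing or mismatched key. BASELINE holds the script's own values; conf_value, check_sysctl_baseline, deviations and live_value are names chosen here, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example (not the handbook's script): audit sysctl.conf against the
# hardening script's values. The last six keys are the ones the script only
# sets at runtime with "sysctl -w"; listing them here flags their absence
# from the persistent configuration.
BASELINE="
security.bsd.see_other_uids=0
net.inet.ip.random_id=1
net.inet.tcp.always_keepalive=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.bmcastecho=0
net.inet.ip.redirect=0
net.inet.ip6.redirect=0
net.inet.icmp.maskrepl=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
"

# conf_value FILE KEY -> last value assigned to KEY in FILE, empty if none.
# Dots in KEY are escaped so "net.inet.ip.redirect" cannot match
# "net.inet.ip6redirect" or similar by accident.
conf_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_sysctl_baseline FILE -> one line per deviation, then the number of
# deviations as the final line (0 means the file carries the full baseline).
check_sysctl_baseline() {
    file=$1; bad=0
    for entry in $BASELINE; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(conf_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"; bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# deviations FILE -> just the count, for use in other scripts
deviations() { check_sysctl_baseline "$1" | tail -n 1; }

# live_value KEY -> the running kernel's value on FreeBSD, empty elsewhere,
# so the file audit above can also run on a non-FreeBSD host.
live_value() {
    if [ "$(uname -s)" = FreeBSD ]; then sysctl -n "$1" 2>/dev/null; fi
}
```

Running check_sysctl_baseline /etc/sysctl.conf after the script has been applied lists exactly the six sysctl -w keys as MISSING, which is the cue to add them to the file as well.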
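The three "chmod o=" sections (configuration files, scheduling binaries, /var/log) and "chmod 710 /root" all remove every permission bit for "other". Whether that is still true after upgrades or package installs is worth checking. The functions below are an added example, not the handbook's code: they read the "other" triplet from ls -ld output (its column layout is the same on FreeBSD and Linux, unlike the stat(1) format flags), list any path that still grants something to "other", and reapply the script's fix only where needed. HARDENED_PATHS is the script's own list; the function names are chosen here, and the test works on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not the handbook's script): audit the paths the script
# locks down and re-tighten those that have drifted.
HARDENED_PATHS="/etc/fstab /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow
/etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access /etc/login.conf
/etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config /etc/sysctl.conf
/etc/syslog.conf /etc/ttys /etc/crontab /usr/bin/crontab /usr/bin/at
/usr/bin/atq /usr/bin/atrm /usr/bin/batch /var/log /root"

# other_bits PATH -> the "other" rwx triplet, e.g. "r--" or "---"
other_bits() { ls -ld "$1" | cut -c8-10; }

# world_accessible PATH... -> one line per path that still has an "other"
# bit set, then the count of such paths as the final line. Paths absent on
# this host are skipped so the audit can run anywhere.
world_accessible() {
    n=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        bits=$(other_bits "$p")
        if [ "$bits" != "---" ]; then
            echo "$p $bits"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# restrict_others PATH... -> the script's fix, applied only where still needed
restrict_others() {
    for p in "$@"; do
        if [ -e "$p" ] && [ "$(other_bits "$p")" != "---" ]; then
            chmod o= "$p"
        fi
    done
}

# audit_hardened_paths -> run the audit over the script's own list
audit_hardened_paths() { world_accessible $HARDENED_PATHS; }
```

On the live system, audit_hardened_paths | tail -n 1 gives the number of drifted paths, which makes it easy to run from cron as a periodic check.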
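The bold-face Blowfish and single user mode sections leave three edits to be made by hand with nano: add crypt_default=blf to /etc/auth.conf, change passwd_format from md5 to blf in /etc/login.conf, and change the console line of /etc/ttys from secure to insecure. The functions below are an added example, not the handbook's code, that make the same edits on whatever file path they are given, so they can be tried on copies before being pointed at the live files (which are the defaults). The names are chosen here. Two facts the handbook does not mention are built in: login.conf is consulted through its cap_mkdb database, so the edit is inert until cap_mkdb has been run, and existing password hashes stay md5 until each password is changed again with passwd(1).

```shell
#!/bin/sh
# Added example (not the handbook's script): scripted versions of the manual
# auth.conf, login.conf and ttys edits, safe to run more than once.

# set_crypt_default [AUTHCONF]: ensure exactly one "crypt_default=blf" line
set_crypt_default() {
    f=${1:-/etc/auth.conf}
    if grep -q '^[[:space:]]*crypt_default[[:space:]]*=' "$f"; then
        sed -i.bak 's/^[[:space:]]*crypt_default[[:space:]]*=.*/crypt_default=blf/' "$f" && rm -f "$f.bak"
    else
        echo 'crypt_default=blf' >> "$f"
    fi
}

# set_passwd_format [LOGINCONF]: md5 -> blf in every login class that sets it.
# login.conf capabilities are colon-delimited (":passwd_format=md5:"), so the
# delimiters are part of the match and nothing else on the line is touched.
set_passwd_format() {
    f=${1:-/etc/login.conf}
    sed -i.bak 's/:passwd_format=md5:/:passwd_format=blf:/g' "$f" && rm -f "$f.bak"
    # rebuild the capability database where the tool exists (FreeBSD);
    # on other systems the edit is only on disk, which is fine for a copy
    if command -v cap_mkdb >/dev/null 2>&1; then cap_mkdb "$f"; fi
}

# current_passwd_format [LOGINCONF] -> first passwd_format value in the file
current_passwd_format() {
    sed -n 's/.*:passwd_format=\([a-z0-9]*\):.*/\1/p' "${1:-/etc/login.conf}" | head -n 1
}

# set_console_insecure [TTYS]: flip only the console line from secure to
# insecure; ttyv* lines keep their own setting, and a line that already
# reads "insecure" does not match, so repeated runs are harmless. The change
# takes effect the next time single user mode is entered.
set_console_insecure() {
    f=${1:-/etc/ttys}
    sed -i.bak 's/^\(console[[:space:]].*[[:space:]]\)secure[[:space:]]*$/\1insecure/' "$f" && rm -f "$f.bak"
}

# console_status [TTYS] -> last field of the console line (secure/insecure)
console_status() {
    awk '$1 == "console" { print $NF }' "${1:-/etc/ttys}"
}
```

After set_passwd_format has been applied to the live file, run passwd for root and each user so that the stored hashes actually become Blowfish; until then the md5 hashes remain in /etc/master.passwd.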


Post Script Installation Notes 


It is important to keep your FreeBSD system up to date. This can be accomplished by using the FreeBSD 
update script. It is also recommended that you install additional security enhancement software packages. 


The next section discusses the FreeBSD update script installation and additional recommended software 
packages that should be installed. 


Using The FreeBSD Update Script 
This script will automate the update of the FreeBSD installation, the FreeBSD Ports collection and installed 
software, and will clean the system of installation files that are no longer needed. 
(# indicates a typed command.) 
Login on computer as normal user. 
(You must have wget installed: # pkg_add -r wget.) 
- Go to the FreeBSD desktop. 
- Open the command line terminal. 
- Login as SU. 
# cd /etc/ 


- Use wget and download the FreeBSD update script. 
# wget http://www.scvi.net/freebsd/Update.txt 


- Use the mv command and rename the file extension from .txt to .sh. 
# mv Update.txt Update.sh 


- Change the permission of the script file so that it can be executed. 
# chmod 755 Update.sh 


- Execute the FreeBSD update script. 
# ./Update.sh 


- Log out of SU. 


Note: Leave the FreeBSD update script in the /etc/ directory, so that it can be used again. 


* Important - Important - Important - Important - Important - Important - Important - Important - Important * 


This script requires additional actions to be performed after the installation is complete. The additional 
actions to be performed are highlighted in bold face text. 


* Important - Important - Important - Important - Important - Important - Important - Important - Important * 


FreeBSD Update Script 


#!/bin/sh 
################################################################################ 
################################################################################ 
# 
# The FreeBSD Update Script 
# David Childers - 15 Dec, 2009 
# 
# This software is released under the Attribution-ShareAlike version 3.0 Licence. 
# www.creativecommons.org/licen - 
# 
################################################################################ 
################################################################################ 
# 
# If you find this script useful, please consider making a small donation. 
# https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=10870717 
# 
################################################################################ 
################################################################################ 
# 
# If you modify the script, make absolutely sure that you use standard quotation marks " " 
# and not word processor quotation marks “ ” in elements that you use the echo function for 
# adding entries to files. Using word processor quotation marks “ ” inside the script will 
# cause the script to not function properly. 
# 
################################################################################ 
################################################################################ 
# 

# Including this command will eliminate the user interactive prompts when upgrading ports and will use 
# the default configuration for installing them. 
# 
echo 'BATCH=yes' >> /etc/make.conf 
# 
# Update FreeBSD core. 
# 
freebsd-update fetch 
freebsd-update install 
# 
# Update ports collection. 
# (portsnap fetch only downloads the snapshot; "portsnap extract" on first use, or "portsnap update" 
# on later runs, is what applies it to /usr/ports.) 
# 
portsnap fetch 
# 
# Tool to upgrade installed packages. 
# 
pkg_add -r portupgrade 
# 
# Update installed ports and packages. 
# 
# -a  All 
#     Do with all the installed packages. 
# -P  Use-packages 
#     Use packages instead of ports whenever available. 
# -R  Upward-recursive 
#     Act on all those packages required by the given packages as well. 
# 
portupgrade -aPR 
# 
# Clean up all temporary work directories. 
# 
portsclean -C 
# 
# Remove all distfiles that are no longer referenced by any ports. 
# 
portsclean -D 
# 
# Remove all distfiles that are no longer referenced by any port currently installed on your computer. 
# 
portsclean -DD 
# 
################################################################################ 
# 
echo "End of script." 
# 


Additional Software Installation 


It is recommended that the following security software is also installed: 
(# indicates a typed command.) 


clamav 
Command line virus scanner written entirely in C. 
# pkg_add -r clamav 


Once you have installed clamav, the following steps need to be performed: 


Manually edit the /etc/rc.conf file: 
# nano /etc/rc.conf 


These lines need to be added to the rc.conf file: 
clamav_freshclam_enable="YES" 
clamav_clamd_enable="YES" 


Command for starting the clamav daemon. 
# /usr/local/etc/rc.d/clamav-clamd start 


Command for updating the clamav virus database. 
# freshclam 


rkhunter 
Rootkit detection tool. 
# pkg_add -r rkhunter 


chkrootkit 
Tool to locally check for signs of a rootkit. 
# pkg_add -r chkrootkit 


logcheck 
Auditing tool for system logs on Unix boxes. 
# pkg_add -r logcheck 


portaudit 
Checks installed ports against a list of security vulnerabilities. 
# pkg_add -r portaudit 


Run portaudit: 
# /usr/local/sbin/portaudit -Fda 


-F: Fetch the current database from the FreeBSD servers. 
-d: Print the creation date of the database. 
-a: Print a vulnerability report for all installed packages. 


Firewall 
Firewall Builder GUI and policy compilers. 
# pkg_add -r fwbuilder 


Firewall Builder software configuration. 
www.fwbuilder.org/slideshows/tutorial_3/slide_1.html 


Firewall Test - Check for open ports on your computer after a firewall has been installed and configured. 


